Whilst doing some random googling and looking at some of the last pages to try and discover some new techniques, I noticed a recurring pattern in some sites which came up. Then, I noticed this was a method for promoting malware in some interesting ways. This is a writeup on this method.
In case you don’t know, forums are a popular kind of website for discussing topics, usually dedicated to a particular subject such as computing or a company / project (like Mozilla, etc). Most of these are legitimate, with actual people talking and most of them not being malicious; however, the sites described here are completely fake.
The forums I found were essentially HTML templates, swapping some text with what is included in a query parameter (like
Here is Site 1 with the original URL
Here is Site 2 with the original URL
Here is Site 3 with the original URL
As you can see, the sites are near identical with small differences:
- Slightly different text in posts
- Different original post name and content, via query parameter or filename
- Different usernames
Other than username, the users are identical:
- Profile picture
- Join date
- Post count
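The overlap listed above works as a detection signal. The following is an added example, not code from the original writeup: it fingerprints each page's poster profiles with the username left out and groups hosts that share a fingerprint. The hostnames, usernames, field names and sample records are all constructed, and it assumes a scraper has already extracted the profile fields.

```python
import hashlib
from collections import defaultdict

# Constructed sample data (not from the writeup): poster profiles in page
# order, as a scraper might extract them. "avatar" stands in for an image hash.
TEMPLATE = [("av_03", "2016-03-12", 214), ("av_11", "2015-11-02", 87),
            ("av_07", "2017-01-25", 1532)]

def make_page(names, profiles):
    """Pair usernames with (avatar, joined, posts) tuples."""
    return [{"user": n, "avatar": a, "joined": j, "posts": c}
            for n, (a, j, c) in zip(names, profiles)]

PAGES = {
    "forum-a.example": make_page(["mike77", "sara_k", "dlfan"], TEMPLATE),
    "board-b.example": make_page(["johnny", "kate92", "bookman"], TEMPLATE),
    "talk-c.example": make_page(["alexx", "linda_m", "r0b"], TEMPLATE),
    "real-forum.example": make_page(
        ["ana", "tomh"], [("a91f", "2012-06-30", 4021), ("77c2", "2019-09-14", 12)]),
}

def profile_fingerprint(posters):
    """Hash every poster's metadata except the username, keeping page order."""
    digest = hashlib.sha256()
    for p in posters:
        digest.update(f"{p['avatar']}|{p['joined']}|{p['posts']}\n".encode())
    return digest.hexdigest()

def find_template_clusters(pages):
    """Return host groups whose posters match in everything but their names."""
    by_print = defaultdict(list)
    for host, posters in pages.items():
        by_print[profile_fingerprint(posters)].append(host)
    clusters = []
    for hosts in by_print.values():
        names = {tuple(p["user"] for p in pages[h]) for h in hosts}
        # Same profiles on several hosts under different usernames is the
        # pattern described above; identical names would just be a mirror.
        if len(hosts) > 1 and len(names) > 1:
            clusters.append(sorted(hosts))
    return sorted(clusters)

if __name__ == "__main__":
    for cluster in find_template_clusters(PAGES):
        print("shared template:", ", ".join(cluster))
```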
These fake forums promote the links by luring users into a false sense of security: the fake forum members say the links are legitimate. This can be seen in the posts below the message with the link (text in [] is added by me for clarification):
User 1: But it requires CC [credit card information].
User 2: Yes, just fill it [CC] in, its trusted site.
User 1: Thanks, CC just to make sure you aren’t bot.
User 3: Thanks guys, looked for this long time too.
User 4: Oh man, that’s great, thank, solid website, entered CC and just downloaded what I needed.
The link goes to various different sites which eventually ask the user to create an account, then scam them by requiring credit card information. One interesting thing is what looks to be a referral system.
The way these sites seem to profit is via a referral / partner system. This can be seen in the sites you go to when clicking one of the links in one of the forums (domains replaced with examples):
- Fake forum:
- Redirect PHP script:
- Randomised partner site with passed on info (template name, referral from site):
- Link from that site:
- Redirected from above: